MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b9347900e27559ba3fcfe186a57ee8d28f8c949442a5d12a4bf9f7ed459114d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Quakbot


Vendor detections: 9


Maldoc score: 10


Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash: 7b9347900e27559ba3fcfe186a57ee8d28f8c949442a5d12a4bf9f7ed459114d
SHA3-384 hash: fa32a79f629cb00d646290af33f764fddda8f74bff3fa0a43be15e9cb2a61ee8ed2a2fdb32981e185fc04de9d013d47e
SHA1 hash: 89bca4aae18925b44b7a6424567d15f8a0139c21
MD5 hash: 16ff3a934cc31ee7e4407caed8b5160b
humanhash: table-uniform-kilo-comet
File name:Compensation-1636332621-09272021.xls
Download: download sample
Signature Quakbot
File size:129'024 bytes
First seen:2021-09-27 15:12:45 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiiTBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAnC
TLSH T130C3AD463797C98BE94913398EE3869B3B72BC20DE72470332457F0E4EB96A18D16653
Reporter @abuse_ch
Tags:1632729661 obama104 Qakbot qbot Quakbot xls


Twitter
@abuse_ch
Quakbot payload URLs:
http://185.250.148.213/44466.7053340278.dat
http://185.183.96.67/44466.7053340278.dat
http://190.14.37.178/44466.7053340278.dat

Quakbot C2s:
95.77.223.148:443
47.22.148.6:443
89.101.97.139:443
27.223.92.142:995
120.151.47.189:443
136.232.34.70:443
120.150.218.241:995
185.250.148.74:443
181.118.183.94:443
140.82.49.12:443
67.165.206.193:993
103.148.120.144:443
71.74.12.34:443
76.25.142.196:443
73.151.236.31:443
173.21.10.71:2222
75.188.35.168:443
2.178.88.145:61202
71.80.168.245:443
45.46.53.140:2222
109.12.111.14:443
105.198.236.99:443
73.77.87.137:443
41.248.239.221:995
182.176.112.182:443
96.37.113.36:993
75.66.88.33:443
162.244.227.34:443
24.229.150.54:995
216.201.162.158:443
92.59.35.196:2222
196.218.227.241:995
24.139.72.117:443
68.207.102.78:443
72.252.201.69:443
2.188.27.77:443
177.130.82.197:2222
68.204.7.158:443
189.210.115.207:443
181.163.96.53:443
24.55.112.61:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
24.152.219.253:995
50.29.166.232:995

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 10
OLE dump
Sections: 21

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
1108 bytesCompObj
2244 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
4101831 bytesWorkbook
5662 bytes_VBA_PROJECT_CUR/PROJECT
630 bytes_VBA_PROJECT_CUR/PROJECTlk
7116 bytes_VBA_PROJECT_CUR/PROJECTwm
897 bytes_VBA_PROJECT_CUR/UserForm2/CompObj
9302 bytes_VBA_PROJECT_CUR/UserForm2/VBFrame
10226 bytes_VBA_PROJECT_CUR/UserForm2/f
11272 bytes_VBA_PROJECT_CUR/UserForm2/o
124241 bytes_VBA_PROJECT_CUR/VBA/Module5
13991 bytes_VBA_PROJECT_CUR/VBA/Sheet1
142501 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
151182 bytes_VBA_PROJECT_CUR/VBA/UserForm2
164332 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
172461 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
18138 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
19264 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
20256 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
211047 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba
TypeKeywordDescription
AutoExecauto_openRuns when the Excel Workbook is opened
AutoExecauto_closeRuns when the Excel Workbook is closed
IOC190.14.37.178IPv4 address
IOC185.183.96.67IPv4 address
IOC185.250.148.213IPv4 address
SuspiciousRunMay run an executable file or a system command
SuspiciousEXECMay run an executable file or a system
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
264
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
Compensation-1636332621-09272021.xls
Verdict:
Malicious activity
Analysis date:
2021-09-27 15:13:08 UTC
Tags:
macros macros-on-open macros-on-close

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Alert level:
4.5%
Document image
Document image
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Threat name:
Document-Office.Downloader.SLoad
Status:
Malicious
First seen:
2021-09-27 15:13:06 UTC
AV detection:
1 of 45 (2.22%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://190.14.37.178/44466.6342006944.dat
http://185.183.96.67/44466.6342006944.dat
http://185.250.148.213/44466.6342006944.dat
http://190.14.37.178/44466.6343003472.dat
http://185.183.96.67/44466.6343003472.dat
http://185.250.148.213/44466.6343003472.dat

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:buerloader_halo_generated
Author:Halogen Generated Rule, Corsin Camichel
Rule name:TA505_Maldoc_21Nov_2
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377
Rule name:zloader_halo_generated
Author:Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

Excel file xls 7b9347900e27559ba3fcfe186a57ee8d28f8c949442a5d12a4bf9f7ed459114d

(this sample)

Comments